1
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
5
* An open source application development framework for PHP 5.1.6 or newer
8
* @author ExpressionEngine Dev Team
9
* @copyright Copyright (c) 2008 - 2011, EllisLab, Inc.
10
* @license http://codeigniter.com/user_guide/license.html
11
* @link http://codeigniter.com
16
// ------------------------------------------------------------------------
21
* @package CodeIgniter
22
* @subpackage Libraries
24
* @author ExpressionEngine Dev Team
25
* @link http://codeigniter.com/user_guide/libraries/sessions.html
29
var $sess_encrypt_cookie = FALSE;
30
var $sess_use_database = FALSE;
31
var $sess_table_name = '';
32
var $sess_expiration = 7200;
33
var $sess_expire_on_close = FALSE;
34
var $sess_match_ip = FALSE;
35
var $sess_match_useragent = TRUE;
36
var $sess_cookie_name = 'ci_session';
37
var $cookie_prefix = '';
38
var $cookie_path = '';
39
var $cookie_domain = '';
40
var $cookie_secure = FALSE;
41
var $sess_time_to_update = 300;
42
var $encryption_key = '';
43
var $flashdata_key = 'flash';
44
var $time_reference = 'time';
45
var $gc_probability = 5;
46
var $userdata = array();
53
* The constructor runs the session routines automatically
54
* whenever the class is instantiated.
56
public function __construct($params = array())
58
log_message('debug', "Session Class Initialized");
60
// Set the super object to a local variable for use throughout the class
61
$this->CI =& get_instance();
63
// Set all the session preferences, which can either be set
64
// manually via the $params array above or via the config file
65
foreach (array('sess_encrypt_cookie', 'sess_use_database', 'sess_table_name', 'sess_expiration', 'sess_expire_on_close', 'sess_match_ip', 'sess_match_useragent', 'sess_cookie_name', 'cookie_path', 'cookie_domain', 'cookie_secure', 'sess_time_to_update', 'time_reference', 'cookie_prefix', 'encryption_key') as $key)
67
$this->$key = (isset($params[$key])) ? $params[$key] : $this->CI->config->item($key);
70
if ($this->encryption_key == '')
72
show_error('In order to use the Session class you are required to set an encryption key in your config file.');
75
// Load the string helper so we can use the strip_slashes() function
76
$this->CI->load->helper('string');
78
// Do we need encryption? If so, load the encryption class
79
if ($this->sess_encrypt_cookie == TRUE)
81
$this->CI->load->library('encrypt');
84
// Are we using a database? If so, load it
85
if ($this->sess_use_database === TRUE AND $this->sess_table_name != '')
87
$this->CI->load->database();
90
// Set the "now" time. Can either be GMT or server time, based on the
91
// config prefs. We use this to set the "last activity" time
92
$this->now = $this->_get_time();
94
// Set the session length. If the session expiration is
95
// set to zero we'll set the expiration two years from now.
96
if ($this->sess_expiration == 0)
98
$this->sess_expiration = (60*60*24*365*2);
101
// Set the cookie name
102
$this->sess_cookie_name = $this->cookie_prefix.$this->sess_cookie_name;
104
// Run the Session routine. If a session doesn't exist we'll
105
// create a new one. If it does, we'll update it.
106
if ( ! $this->sess_read())
108
$this->sess_create();
112
$this->sess_update();
115
// Delete 'old' flashdata (from last request)
116
$this->_flashdata_sweep();
118
// Mark all new flashdata as old (data will be deleted before next request)
119
$this->_flashdata_mark();
121
// Delete expired sessions if necessary
124
log_message('debug', "Session routines successfully run");
127
// --------------------------------------------------------------------
130
* Fetch the current session data if it exists
138
$session = $this->CI->input->cookie($this->sess_cookie_name);
140
// No cookie? Goodbye cruel world!...
141
if ($session === FALSE)
143
log_message('debug', 'A session cookie was not found.');
147
// Decrypt the cookie data
148
if ($this->sess_encrypt_cookie == TRUE)
150
$session = $this->CI->encrypt->decode($session);
154
// encryption was not used, so we need to check the md5 hash
155
$hash = substr($session, strlen($session)-32); // get last 32 chars
156
$session = substr($session, 0, strlen($session)-32);
158
// Does the md5 hash match? This is to prevent manipulation of session data in userspace
159
if ($hash !== md5($session.$this->encryption_key))
161
log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
162
$this->sess_destroy();
167
// Unserialize the session array
168
$session = $this->_unserialize($session);
170
// Is the session data we unserialized an array with the correct format?
171
if ( ! is_array($session) OR ! isset($session['session_id']) OR ! isset($session['ip_address']) OR ! isset($session['user_agent']) OR ! isset($session['last_activity']))
173
$this->sess_destroy();
177
// Is the session current?
178
if (($session['last_activity'] + $this->sess_expiration) < $this->now)
180
$this->sess_destroy();
184
// Does the IP Match?
185
if ($this->sess_match_ip == TRUE AND $session['ip_address'] != $this->CI->input->ip_address())
187
$this->sess_destroy();
191
// Does the User Agent Match?
192
if ($this->sess_match_useragent == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 120)))
194
$this->sess_destroy();
198
// Is there a corresponding session in the DB?
199
if ($this->sess_use_database === TRUE)
201
$this->CI->db->where('session_id', $session['session_id']);
203
if ($this->sess_match_ip == TRUE)
205
$this->CI->db->where('ip_address', $session['ip_address']);
208
if ($this->sess_match_useragent == TRUE)
210
$this->CI->db->where('user_agent', $session['user_agent']);
213
$query = $this->CI->db->get($this->sess_table_name);
215
// No result? Kill it!
216
if ($query->num_rows() == 0)
218
$this->sess_destroy();
222
// Is there custom data? If so, add it to the main session array
223
$row = $query->row();
224
if (isset($row->user_data) AND $row->user_data != '')
226
$custom_data = $this->_unserialize($row->user_data);
228
if (is_array($custom_data))
230
foreach ($custom_data as $key => $val)
232
$session[$key] = $val;
239
$this->userdata = $session;
245
// --------------------------------------------------------------------
248
* Write the session data
253
function sess_write()
255
// Are we saving custom data to the DB? If not, all we do is update the cookie
256
if ($this->sess_use_database === FALSE)
258
$this->_set_cookie();
262
// set the custom userdata, the session data we will set in a second
263
$custom_userdata = $this->userdata;
264
$cookie_userdata = array();
266
// Before continuing, we need to determine if there is any custom data to deal with.
267
// Let's determine this by removing the default indexes to see if there's anything left in the array
268
// and set the session data while we're at it
269
foreach (array('session_id','ip_address','user_agent','last_activity') as $val)
271
unset($custom_userdata[$val]);
272
$cookie_userdata[$val] = $this->userdata[$val];
275
// Did we find any custom data? If not, we turn the empty array into a string
276
// since there's no reason to serialize and store an empty array in the DB
277
if (count($custom_userdata) === 0)
279
$custom_userdata = '';
283
// Serialize the custom data array so we can store it
284
$custom_userdata = $this->_serialize($custom_userdata);
287
// Run the update query
288
$this->CI->db->where('session_id', $this->userdata['session_id']);
289
$this->CI->db->update($this->sess_table_name, array('last_activity' => $this->userdata['last_activity'], 'user_data' => $custom_userdata));
291
// Write the cookie. Notice that we manually pass the cookie data array to the
292
// _set_cookie() function. Normally that function will store $this->userdata, but
293
// in this case that array contains custom data, which we do not want in the cookie.
294
$this->_set_cookie($cookie_userdata);
297
// --------------------------------------------------------------------
300
* Create a new session
305
function sess_create()
308
while (strlen($sessid) < 32)
310
$sessid .= mt_rand(0, mt_getrandmax());
313
// To make the session ID even more secure we'll combine it with the user's IP
314
$sessid .= $this->CI->input->ip_address();
316
$this->userdata = array(
317
'session_id' => md5(uniqid($sessid, TRUE)),
318
'ip_address' => $this->CI->input->ip_address(),
319
'user_agent' => substr($this->CI->input->user_agent(), 0, 120),
320
'last_activity' => $this->now,
325
// Save the data to the DB if needed
326
if ($this->sess_use_database === TRUE)
328
$this->CI->db->query($this->CI->db->insert_string($this->sess_table_name, $this->userdata));
332
$this->_set_cookie();
335
// --------------------------------------------------------------------
338
* Update an existing session
343
function sess_update()
345
// We only update the session every five minutes by default
346
if (($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)
351
// Save the old session id so we know which record to
352
// update in the database if we need it
353
$old_sessid = $this->userdata['session_id'];
355
while (strlen($new_sessid) < 32)
357
$new_sessid .= mt_rand(0, mt_getrandmax());
360
// To make the session ID even more secure we'll combine it with the user's IP
361
$new_sessid .= $this->CI->input->ip_address();
363
// Turn it into a hash
364
$new_sessid = md5(uniqid($new_sessid, TRUE));
366
// Update the session data in the session data array
367
$this->userdata['session_id'] = $new_sessid;
368
$this->userdata['last_activity'] = $this->now;
370
// _set_cookie() will handle this for us if we aren't using database sessions
371
// by pushing all userdata to the cookie.
374
// Update the session ID and last_activity field in the DB if needed
375
if ($this->sess_use_database === TRUE)
377
// set cookie explicitly to only have our session data
378
$cookie_data = array();
379
foreach (array('session_id','ip_address','user_agent','last_activity') as $val)
381
$cookie_data[$val] = $this->userdata[$val];
384
$this->CI->db->query($this->CI->db->update_string($this->sess_table_name, array('last_activity' => $this->now, 'session_id' => $new_sessid), array('session_id' => $old_sessid)));
388
$this->_set_cookie($cookie_data);
391
// --------------------------------------------------------------------
394
* Destroy the current session
399
function sess_destroy()
401
// Kill the session DB row
402
if ($this->sess_use_database === TRUE && isset($this->userdata['session_id']))
404
$this->CI->db->where('session_id', $this->userdata['session_id']);
405
$this->CI->db->delete($this->sess_table_name);
410
$this->sess_cookie_name,
411
addslashes(serialize(array())),
412
($this->now - 31500000),
414
$this->cookie_domain,
419
$this->userdata = array();
422
// --------------------------------------------------------------------
425
* Fetch a specific item from the session array
431
function userdata($item)
433
return ( ! isset($this->userdata[$item])) ? FALSE : $this->userdata[$item];
436
// --------------------------------------------------------------------
439
* Fetch all session data
444
function all_userdata()
446
return $this->userdata;
449
// --------------------------------------------------------------------
452
* Add or change data in the "userdata" array
459
function set_userdata($newdata = array(), $newval = '')
461
if (is_string($newdata))
463
$newdata = array($newdata => $newval);
466
if (count($newdata) > 0)
468
foreach ($newdata as $key => $val)
470
$this->userdata[$key] = $val;
477
// --------------------------------------------------------------------
480
* Delete a session variable from the "userdata" array
485
function unset_userdata($newdata = array())
487
if (is_string($newdata))
489
$newdata = array($newdata => '');
492
if (count($newdata) > 0)
494
foreach ($newdata as $key => $val)
496
unset($this->userdata[$key]);
503
// ------------------------------------------------------------------------
506
* Add or change flashdata, only available
507
* until the next request
514
function set_flashdata($newdata = array(), $newval = '')
516
if (is_string($newdata))
518
$newdata = array($newdata => $newval);
521
if (count($newdata) > 0)
523
foreach ($newdata as $key => $val)
525
$flashdata_key = $this->flashdata_key.':new:'.$key;
526
$this->set_userdata($flashdata_key, $val);
531
// ------------------------------------------------------------------------
534
* Keeps existing flashdata available to next request.
540
function keep_flashdata($key)
542
// 'old' flashdata gets removed. Here we mark all
543
// flashdata as 'new' to preserve it from _flashdata_sweep()
544
// Note the function will return FALSE if the $key
545
// provided cannot be found
546
$old_flashdata_key = $this->flashdata_key.':old:'.$key;
547
$value = $this->userdata($old_flashdata_key);
549
$new_flashdata_key = $this->flashdata_key.':new:'.$key;
550
$this->set_userdata($new_flashdata_key, $value);
553
// ------------------------------------------------------------------------
556
* Fetch a specific flashdata item from the session array
562
function flashdata($key)
564
$flashdata_key = $this->flashdata_key.':old:'.$key;
565
return $this->userdata($flashdata_key);
568
// ------------------------------------------------------------------------
571
* Identifies flashdata as 'old' for removal
572
* when _flashdata_sweep() runs.
577
function _flashdata_mark()
579
$userdata = $this->all_userdata();
580
foreach ($userdata as $name => $value)
582
$parts = explode(':new:', $name);
583
if (is_array($parts) && count($parts) === 2)
585
$new_name = $this->flashdata_key.':old:'.$parts[1];
586
$this->set_userdata($new_name, $value);
587
$this->unset_userdata($name);
592
// ------------------------------------------------------------------------
595
* Removes all flashdata marked as 'old'
601
function _flashdata_sweep()
603
$userdata = $this->all_userdata();
604
foreach ($userdata as $key => $value)
606
if (strpos($key, ':old:'))
608
$this->unset_userdata($key);
614
// --------------------------------------------------------------------
624
if (strtolower($this->time_reference) == 'gmt')
627
$time = mktime(gmdate("H", $now), gmdate("i", $now), gmdate("s", $now), gmdate("m", $now), gmdate("d", $now), gmdate("Y", $now));
637
// --------------------------------------------------------------------
640
* Write the session cookie
645
function _set_cookie($cookie_data = NULL)
647
if (is_null($cookie_data))
649
$cookie_data = $this->userdata;
652
// Serialize the userdata for the cookie
653
$cookie_data = $this->_serialize($cookie_data);
655
if ($this->sess_encrypt_cookie == TRUE)
657
$cookie_data = $this->CI->encrypt->encode($cookie_data);
661
// if encryption is not used, we provide an md5 hash to prevent userside tampering
662
$cookie_data = $cookie_data.md5($cookie_data.$this->encryption_key);
665
$expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time();
669
$this->sess_cookie_name,
673
$this->cookie_domain,
678
// --------------------------------------------------------------------
683
* This function first converts any slashes found in the array to a temporary
684
* marker, so when it gets unserialized the slashes will be preserved
690
function _serialize($data)
694
foreach ($data as $key => $val)
698
$data[$key] = str_replace('\\', '{{slash}}', $val);
704
if (is_string($data))
706
$data = str_replace('\\', '{{slash}}', $data);
710
return serialize($data);
713
// --------------------------------------------------------------------
718
* This function unserializes a data string, then converts any
719
* temporary slash markers back to actual slashes
725
function _unserialize($data)
727
$data = @unserialize(strip_slashes($data));
731
foreach ($data as $key => $val)
735
$data[$key] = str_replace('{{slash}}', '\\', $val);
742
return (is_string($data)) ? str_replace('{{slash}}', '\\', $data) : $data;
745
// --------------------------------------------------------------------
750
* This deletes expired session rows from database
751
* if the probability percentage is met
758
if ($this->sess_use_database != TRUE)
764
if ((rand() % 100) < $this->gc_probability)
766
$expire = $this->now - $this->sess_expiration;
768
$this->CI->db->where("last_activity < {$expire}");
769
$this->CI->db->delete($this->sess_table_name);
771
log_message('debug', 'Session garbage collection performed.');
779
/* End of file Session.php */
780
/* Location: ./system/libraries/Session.php */
b'\\ No newline at end of file'
added
removed
codeigniter/system/libraries/Session.php
